[UPHPU] User Login suggestions

David Smith DavidSmith at byu.net
Thu Sep 2 14:54:28 MDT 2004


<quote who="Tierra">
> On Thu, 2 Sep 2004 14:04:43 -0600 (MDT), David Smith <davidsmith at byu.net>
> wrote:
>> <quote who="Tierra">
>> > I could go on about RSA encryption, SSL, and others as I've coded up
>> > my own very secure login system.
>>
>> Do share!
>>
>> --Dave
>
> You asked for it! (well, demanded, but it doesn't matter) =)
>
> If you don't have the funds or getting a _signed_ SSL certificate
> isn't worth the hassle, you can still sign your own certificates and
> still run the entire user session over encryption, only the user will
> be asked if your certificate is acceptable every time they visit the
> site. If you don't want that message either, then you're still not out
> of luck. You can program some standard Javascript RSA encryption and
> send to the client to encrypt any data they will be sending back to
> the server (in my case, I encrypt the password, it's a little more
> cumbersome to encrypt all the POST data, and the HTTP request can
> still be seen since you're not running through standard SSL anyway).
> That's done with the help of PHP and a MySQL table that keeps track of
> all keys sent to clients on their different IP addresses so it can
> decrypt the data when it's sent back (we're still working with multiple
> connections).
>
> Should I go on about how PHP, Javascript, and MySQL handles the
> encryption?

A couple years ago, I was looking for an RSA Javascript solution to
encrypt passwords on the client side without an SSL HTTP session for the
uug.byu.edu site. I couldn't find a solution, so I just settled for a less
secure setup with clear password transfer (and a little warning note). Did
you write your own Javascript RSA implementation, or did you find one? How
did you distribute your RSA public key to the Javascript clients? Via HTTP
or embedded in the script? How did your clients validate the authenticity
of the key? You've got my curiosity going now.

--Dave


